
On a daily basis we encounter thousands of new malware samples with unknown content. This malware can come from honeypots, infected websites or even be submitted by users. Analyzing all these binaries by hand would take any malware analyst a long time. That’s why it’s critical to have an automated way to classify different types of malicious code.

Open source tools like ClamAV and YARA can tell us whether an unknown file has already been classified as malicious. If we have a fresh database with the latest signatures, we will not spend time analyzing binaries other researchers have already identified. That lets us spend our time on new or unique types of malware.

Installing ClamAV:

ClamAV is an open source (GPL) anti-virus toolkit. The AV tasks are handled by three processes:

clamd is a multi-threaded antivirus daemon; its configuration file is located in /etc/clamd.conf

clamscan is a command-line antivirus scanner.

We need to install the latest release of ClamAV, or we will get a warning about reduced functionality, which means we may not be able to use all the available virus signatures.

The most recent version of ClamAV is available from http://www.clamav.net/download/sources/, but you can also use a package manager to install it. On an Ubuntu machine, type the following commands:
$ sudo apt-get install clamav clamav-freshclam

First you can start by updating ClamAV signatures:
$ sudo freshclam

Then you run a scan on any suspicious file to check whether it is infected:
$ sudo clamscan

Scanning a folder with infected files

After scanning the folders we find files that are already known to be infected, such as Trojan proxies, which allow malicious users to control the victimized machine and use it as a proxy for spamming other people or performing any number of other malicious activities from their remote computer.

Installing YARA:

YARA is an extremely flexible identification and classification engine written by Victor Manuel Alvarez of Hispasec Sistemas. It runs on Windows, Linux and Mac OS X, and can be used through its command-line interface or from your own Python scripts with the yara-python extension.

YARA rules are easy to write and understand; their syntax resembles a C struct declaration. However, creating thousands of rules takes a lot of time and effort, so it makes more sense to reuse ClamAV signatures. ClamAV signatures can usually be found under /usr/local/share/clamav or /usr/lib/clamav on Linux systems. This is where you will find main.cld and daily.cld (alternatively they may have .cvd extensions). The main file contains the primary base of signatures and the daily file contains incremental daily updates.

To install YARA on Ubuntu we need PCRE and its development headers first:
$ sudo apt-get install libpcre3 libpcre3-dev

The clamav_to_yara.py script by Matthew Richard can help in converting ClamAV signatures to meet the requirements of YARA. To convert, you run the following command:
$ python clamav_to_yara.py -f main.ndb -o clamav.yara

Converting ClamAV Signatures to YARA

To scan a folder that contains suspicious files with the new clamav.yara rules, you run the following:
$ yara -r clamav.yara /data/malcode

Next you can check the clamav.yara file; you should find the rules created in YARA format.
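To make the conversion step concrete, here is an added example of what a converter like the one above has to do. This is illustrative code written for this article, not the article's own code and not Matthew Richard's clamav_to_yara.py, and it makes no claim about that script's output. It assumes the extended .ndb line format (MalwareName:TargetType:Offset:HexSignature, optionally followed by FLEVEL fields); main.ndb itself is obtained by unpacking the .cvd/.cld database with ClamAV's sigtool (`sigtool --unpack main.cvd`). The sample signatures are constructed and match nothing real. The converter emits a fixed-length ClamAV jump `{n}` as `[n]`, drops jumps at the start or end of a pattern and skips signatures with no fully defined byte, since YARA rejects all three.

```python
"""Minimal ClamAV .ndb-to-YARA converter (illustrative example, not clamav_to_yara.py)."""
import re

# Constructed sample .ndb lines: MalwareName:TargetType:Offset:HexSignature[:MinFL[:MaxFL]].
# Names and byte patterns are invented for this example.
SAMPLE_NDB = """\
Example.Trojan.Proxy-1:1:*:4d5a{4}5045{2-6}??4c01
Example.Generic.Dropper-2:0:512:6869(6c|4c)6c6f*776f726c64:51:255
Example.Script.Bad-3:0:*:??{-8}
"""

_JUMP = re.compile(r"\{(\d*)(-?)(\d*)\}")   # ClamAV {n}, {n-m}, {n-}, {-m}
_BYTE = re.compile(r"^[0-9A-F]{2}$")         # a fully defined byte


def clamav_hex_to_yara(sig: str) -> str:
    """Rewrite a ClamAV hex signature as the body of a YARA hex string."""
    def jump(m):
        lo, dash, hi = m.groups()
        if not dash:                      # {n}   -> [n]  (never a degenerate [n-n])
            return f"[{lo}]"
        return f"[{lo or '0'}-{hi}]"      # {n-m} -> [n-m], {n-} -> [n-], {-m} -> [0-m]

    s = _JUMP.sub(jump, sig).replace("*", "[0-]")   # ClamAV '*' = any number of bytes
    tokens, i = [], 0
    while i < len(s):
        if s[i] == "[":                   # keep a jump as a single token
            j = s.index("]", i)
            tokens.append(s[i:j + 1])
            i = j + 1
        elif s[i] in "(|)":               # alternation syntax is the same in YARA
            tokens.append(s[i])
            i += 1
        else:                             # one byte: two hex digits or nibble wildcards
            tokens.append(s[i:i + 2].upper())
            i += 2
    # YARA rejects a jump at the very start or end of a hex string: drop them.
    while tokens and tokens[0].startswith("["):
        tokens.pop(0)
    while tokens and tokens[-1].startswith("["):
        tokens.pop()
    # YARA also rejects a hex string made only of wildcards and jumps.
    if not any(_BYTE.match(t) for t in tokens):
        raise ValueError("no fully defined byte in signature")
    return " ".join(tokens)


def sanitize_name(name: str) -> str:
    """Turn a ClamAV malware name (dots, hyphens) into a valid YARA rule identifier."""
    ident = re.sub(r"[^A-Za-z0-9_]", "_", name)
    return "_" + ident if not ident or ident[0].isdigit() else ident


RULE_TEMPLATE = """rule {ident}
{{
    meta:
        clamav_name = "{name}"
        clamav_target = "{target}"
        clamav_offset = "{offset}"
    strings:
        $a = {{ {body} }}
    condition:
        {cond}
}}
"""


def make_rule(name: str, target: str, offset: str, body: str) -> str:
    """Build one rule: a numeric offset is anchored, target 1 (PE) adds an MZ-header check."""
    cond = f"$a at {offset}" if offset.isdigit() else "$a"   # EP+n / EOF-n offsets match anywhere
    if target == "1":
        cond = "uint16(0) == 0x5A4D and " + cond
    return RULE_TEMPLATE.format(ident=sanitize_name(name), name=name, target=target,
                                offset=offset, body=body, cond=cond)


def convert_ndb(text: str):
    """Convert .ndb text; returns (list of YARA rule strings, list of (name, reason) skipped)."""
    rules, skipped = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            skipped.append((line, "malformed line"))
            continue
        name, target, offset, hexsig = parts[:4]   # optional MinFL/MaxFL fields are ignored
        try:
            rules.append(make_rule(name, target, offset, clamav_hex_to_yara(hexsig)))
        except ValueError as err:
            skipped.append((name, str(err)))
    return rules, skipped


if __name__ == "__main__":
    converted, dropped = convert_ndb(SAMPLE_NDB)
    print("\n".join(converted))
    for name, reason in dropped:
        print(f"// skipped {name}: {reason}")
```

Running the script prints two rules and reports the third signature as skipped; redirecting the output to a file gives a rule set that `yara -r` accepts. ClamAV offsets such as EP+n or EOF-n have no direct YARA equivalent in this simple mapping, so they are recorded in the rule's meta section and the string is allowed to match anywhere, which widens the match rather than losing it.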

YARA Rules Created

Now it is important to note that much modern malware uses obfuscation to hide its presence on the system; this includes encoding, encryption and packing. Using YARA with the previous signatures will not identify packers. To handle packers you need to add PEiD, a GUI tool that detects them. The YARA project’s wiki provides a handful of sample packer rules based on the PEiD database.

Here are some rules for detecting packers based on PEiD signatures; you can add them directly to the converted YARA rules:

Using these tools allows you to quickly identify known malware. ClamAV may show that the suspicious file is known malware; at this point you classify the incident under the name of that malware, with a detailed report and briefing about the incident.

If, after using ClamAV, the file is still unknown and there is no clear information about it, we will need to go to the next step in analyzing the file. This will require either static analysis (examining the code) or dynamic analysis (executing the malware in a monitored environment to observe its behavior).

With YARA you can create descriptions of malware families based on textual or binary patterns contained in samples from those families. You can create rules to find malware that attempts to brute-force accounts and logins, or rules containing antivirus process/service or domain names to identify malware that attempts to terminate or disable A/V products.

YARA is used by VirusTotal Malware Intelligence Services (http://vt-mis.com), jsunpack-n (http://jsunpack.jeek.org/) and We Watch Your Website (http://www.wewatchyourwebsite.com/).

Mourad Ben Lakhoua is a security researcher for InfoSec Institute and an Information Security practitioner specializing in Cybersecurity, Penetration Testing, Risk Management, Cloud Computing, Social Media and Network System Security. He works as a security researcher at Tunisian Computer Emergency and Response Team tun-CERT.

You can find more of his articles, analysis and commentary at http://www.infosecisland.com, where he is a featured contributor.


Can you explain in detail how you added the packer rules to the default YARA rules? I’m having difficulties adding them.

Thanks

Mourad (http://www.sectechno.com/)

Hello Robert,

After installing YARA you can keep the packer rule set in a separate file, let’s call it packer1, and run YARA against your binary with that rule set, for example:

$ yara -r packer1 /data/Malware

The rules are based on the PEiD signatures. If you still have difficulties, you can send the procedure you follow in your work to the following e-mail: info@sectechno.com

Kiril

I’m using the same conversion method (clamav_to_yara.py), but the resulting clamav.yara file contains invalid YARA jumps (lots of [4-4]). Do you have any idea why this is happening and how I should fix it?

Matt

You need to type “sudo clamscan -r” to get this working on ubuntu 12.04

reza kazemi

Hello Mourad,
my name is Reza Kazemi.
I’m busy doing university research about anti-VM, anti-virus and anti-debugger techniques.
Therefore I need a database of YARA signatures to detect and identify anti-VM, anti-virus and anti-debugger code.
Please give me documentation, files or an example of YARA code on this topic.
Please give me tips.
